Overstock.com - a popular online retailer was in for a nightmare as a glitch on their website allowed users to buy for stuff in Bitcoin Cash - while getting refunds in Bitcoins. For instance you buy something worth 0.01 Bitcoin Cash, you may get a refund of 0.01 Bitcoins in return - and the price difference between the two is massive.
Moreover, another glitch on the website allowed the users to pay for an item in Bitcoin Cash instead of Bitcoins without changing the price. For instance, if an item was on sale for 0.1 Bitcoins, you could have purchased it for 0.1 Bitcoin Cash - moreover, you can also claim a refund on the same and get paid 0.1 Bitcoins for the same.
Overstock, which sells a large variety of items - some being quite costly such as diamond rings, is one of the biggest and most trusted online retailers. The website has been accepting Bitcoin payments since 2014, in a partnership with Coinbase. All was going good till Overstock was accepting Bitcoin as a method of payment. However, mid-December, they decided to add support for Bitcoin Cash - and that is where the trouble began.
Just as Bitcoin prices shot over $17,000 - Overstock decided to add support for Bitcoin Cash, which was also getting quite popular. However, the thing worth noting was, that while Bitcoin Cash was priced in at close to $2000 - the difference between the two currencies was that of a whopping $15,000.
A security researcher from North Carolina found out that instead of paying in Bitcoins, users could pay the same amount in Bitcoin cash. For instance, if you are making a purchase of an item that costs you 0.001 Bitcoins, you could have paid 0.001 Bitcoin Cash to procure it.
The alarming thing here is that as per today's market rates, 0.001 Bitcoins would cost around $13.5 while 0.001 Bitcoin Cash would cost $2.5 - basically you pay $2.5 for an item worth $13.5. This could have potentially caused the company to lose millions.
Moreover, what made things worse was that you could pay in Bitcoin Cash and ask for refunds - which the company would give you in Bitcoins. Basically, you pay 0.001 Bitcoin Cash, and get 0.001 Bitcoins in return. This bug reportedly existed in the system for three weeks!
Had someone with a malicious intent caught hold of this bug, they could have made major profits worth hundreds of thousands of dollars in just minutes!
Overstack commented on this glitch on their website, saying: “We were made aware of an issue affecting cryptocurrency transactions and refunds by an independent researcher. After working with the researcher to confirm the finding, that method of payment was disabled while we worked with our cryptocurrency integration partner, Coinbase, to ensure they resolved the issue. We have since confirmed that the issue described in the finding has been resolved, and the cryptocurrency payment option has been re-enabled.”
Coinbase said “the issue was caused by the merchant partner improperly using the return values in our merchant integration API. No other Coinbase customer had this problem.”Coinbase told me the bug only existed for approximately three weeks.”
Security firm KrebsOnSecurity was the one which helped notify Overstack and Coinbase about this issue which led to it being resolved. This is indeed a lesson on how not to implement payments systems.